Description of problem:
For some reason, Cluster Network Operator exposes what looks like a generic apiserver on port 9104 that seems to do nothing. Concretely:
- It requires authentication (I used a cluster-admin client cert for testing)
- It exposes a `/apis` endpoint that reports an empty APIGroupList
- It exposes a bunch of generic API server metrics at the `/metrics` endpoint (but no CNO-specific metric)
- It exposes generic health endpoints.
So it looks basically useless.

The main problem is that its auto-generated TLS certificate has a one-month expiry. This can cause false but scary red alerts should an OpenShift cluster face a security audit, where a random port scan is done and generic TLS checks are done on it. This kind of security scan is quite common.

Version-Release number of selected component (if applicable):
4.10, but likely to be present in older versions as well.

How reproducible:
Always

Steps to Reproduce:
1. Curl to port 9104 of the control plane node where the CNO pod is running (use the system:admin client cert)
2.
3.

Actual results:
An apparently useless generic API server is hit.

Expected results:
No useless generic API server listening at that port, or some info on what that port is exposed for.

Additional info:
The listen port seems to have been introduced at [1], but it is not clear from the refactoring why a refactoring like the one depicted in that commit would make this port start being required. A quick test with a draft PR (thx Andreas) [2] didn't reveal any issue while disabling it. But it would be good to have confirmation on what this is before merging that change.

[1] - https://github.com/openshift/cluster-network-operator/commit/ed469791d9938dcf13faec7e73bfe0ed1aea80af
[2] - https://github.com/openshift/cluster-network-operator/pull/1424
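As an added example (not code from this bug, the cluster-network-operator project or its PRs), the Go program below shows the kind of certificate-lifetime check a security scan applies to a listener like the one on port 9104. It stands up a loopback TLS listener with a constructed self-signed certificate valid for 30 days, the lifetime the report describes, fetches the presented leaf certificate the way a scanner would, and evaluates it against a policy. The listener, the certificate subject "constructed-operator-serving-cert" and the policy values (at least 90 days total validity, warn within 14 days of expiry) are all assumptions made for the demonstration; FetchLeafCert and AuditCert can be pointed at a real address to see what an auditor sees.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// CertFinding is what a certificate-lifetime audit reports for one TLS endpoint.
type CertFinding struct {
	LifetimeDays  float64
	RemainingDays float64
	SelfIssued    bool // issuer == subject, typical of an auto-generated serving cert
	ShortLived    bool // total validity below the policy minimum
	ExpiringSoon  bool // remaining validity inside the warning window
}

// AuditCert applies a lifetime policy to a leaf certificate: minLifetime is the
// shortest acceptable total validity, warnWindow the pre-expiry warning period.
func AuditCert(cert *x509.Certificate, now time.Time, minLifetime, warnWindow time.Duration) CertFinding {
	lifetime := cert.NotAfter.Sub(cert.NotBefore)
	remaining := cert.NotAfter.Sub(now)
	return CertFinding{
		LifetimeDays:  lifetime.Hours() / 24,
		RemainingDays: remaining.Hours() / 24,
		SelfIssued:    bytes.Equal(cert.RawIssuer, cert.RawSubject),
		ShortLived:    lifetime < minLifetime,
		ExpiringSoon:  remaining < warnWindow,
	}
}

// FetchLeafCert handshakes with addr and returns the leaf certificate the server
// presented. Chain verification is skipped on purpose: inventory probe, not a trust decision.
func FetchLeafCert(addr string) (*x509.Certificate, error) {
	conn, err := tls.Dial("tcp", addr, &tls.Config{InsecureSkipVerify: true})
	if err != nil {
		return nil, err
	}
	defer conn.Close()
	return conn.ConnectionState().PeerCertificates[0], nil
}

// StartSelfSignedServer listens on a loopback port with a constructed self-signed
// certificate of the given lifetime (an assumed stand-in for an operator's auto-generated
// serving cert), completes each handshake and closes the connection.
func StartSelfSignedServer(lifetime time.Duration) (string, func(), error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	now := time.Now()
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: "constructed-operator-serving-cert"},
		NotBefore:    now,
		NotAfter:     now.Add(lifetime),
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return "", nil, err
	}
	cfg := &tls.Config{Certificates: []tls.Certificate{{Certificate: [][]byte{der}, PrivateKey: key}}}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", cfg)
	if err != nil {
		return "", nil, err
	}
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed by the stop function
			}
			go func(c net.Conn) { _ = c.(*tls.Conn).Handshake(); c.Close() }(c)
		}
	}()
	return ln.Addr().String(), func() { ln.Close() }, nil
}

func main() {
	addr, stop, err := StartSelfSignedServer(30 * 24 * time.Hour) // one-month cert, as in the report
	if err != nil {
		panic(err)
	}
	defer stop()
	cert, err := FetchLeafCert(addr)
	if err != nil {
		panic(err)
	}
	fmt.Printf("%s: %+v\n", addr, AuditCert(cert, time.Now(), 90*24*time.Hour, 14*24*time.Hour))
}
```

`go run` prints the finding for the constructed one-month certificate: ShortLived is true because a 30-day lifetime is below the assumed 90-day minimum, while ExpiringSoon is false on the day it was issued. Because FetchLeafCert deliberately skips chain verification, a finding from a real listener says only what that port presents; whether that certificate is the expected one for the cluster (for example a service-serving-cert issued by the cluster's own signer) is a separate check against the cluster's known issuers.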
Just need to wire up the bits for a service-serving-cert. Then this will go away (on bootstrapped clusters).
Verified this bug on 4.11.0-0.nightly-2022-06-11-054027

token=`oc create token prometheus-k8s -n openshift-monitoring`

# oc get pod -n openshift-network-operator -o wide
NAME                                READY   STATUS    RESTARTS   AGE    IP               NODE       NOMINATED NODE   READINESS GATES
network-operator-6bbdbb9bbc-p89z7   1/1     Running   0          2d1h   192.168.111.20   master-0   <none>           <none>

# oc exec -n openshift-monitoring -c prometheus prometheus-k8s-0 -- curl -H "Authorization: Bearer $token" https://192.168.111.20:9104/metrics -k
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
  0     0    0     0    0     0      0      0 --:--:-- --:--:-- --:--:--     0
# HELP apiserver_audit_event_total [ALPHA] Counter of audit events generated and sent to the audit backend.
# TYPE apiserver_audit_event_total counter
apiserver_audit_event_total 0
# HELP apiserver_audit_requests_rejected_total [ALPHA] Counter of apiserver requests rejected due to an error in audit logging backend.
# TYPE apiserver_audit_requests_rejected_total counter
apiserver_audit_requests_rejected_total 0
# HELP apiserver_client_certificate_expiration_seconds [ALPHA] Distribution of the remaining lifetime on the certificate used to authenticate a request.
# TYPE apiserver_client_certificate_expiration_seconds histogram
apiserver_client_certificate_expiration_seconds_bucket{le="0"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="1800"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="3600"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="7200"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="21600"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="43200"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="86400"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="172800"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="345600"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="604800"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="2.592e+06"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="7.776e+06"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="1.5552e+07"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="3.1104e+07"} 0
apiserver_client_certificate_expiration_seconds_bucket{le="+Inf"} 2
apiserver_client_certificate_expiration_seconds_sum 6.305302434902146e+08
apiserver_client_certificate_expiration_seconds_count 2
# HELP apiserver_current_inflight_requests [STABLE] Maximal number of currently used inflight request limit of this apiserver per request kind in last second.
# TYPE apiserver_current_inflight_requests gauge
apiserver_current_inflight_requests{request_kind="mutating"} 0
apiserver_current_inflight_requests{request_kind="readOnly"} 0
# HELP apiserver_delegated_authn_request_duration_seconds [ALPHA] Request latency in seconds. Broken down by status code.
# TYPE apiserver_delegated_authn_request_duration_seconds histogram
apiserver_delegated_authn_request_duration_seconds_bucket{code="201",le="0.25"} 5910
apiserver_delegated_authn_request_duration_seconds_bucket{code="201",le="0.5"} 5910
apiserver_delegated_authn_request_duration_seconds_bucket{code="201",le="0.7"} 5910
apiserver_delegated_authn_request_duration_seconds_bucket{code="201",le="1"} 5910
apiserver_delegated_authn_request_duration_seconds_bucket{code="201",le="1.5"} 5910
apiserver_delegated_authn_request_duration_seconds_bucket{code="201",le="3"} 5910
apiserver_delegated_authn_request_duration_seconds_bucket{code="201",le="5"} 5910
apiserver_delegated_authn_request_duration_seconds_bucket{code="201",le="10"} 5910
apiserver_delegated_authn_request_duration_seconds_bucket{code="201",le="+Inf"} 5910
apiserver_delegated_authn_request_duration_seconds_sum{code="201"} 21.714198211000035
apiserver_delegated_authn_request_duration_seconds_count{code="201"} 5910
# HELP apiserver_delegated_authn_request_total [ALPHA] Number of HTTP requests partitioned by status code.
# TYPE apiserver_delegated_authn_request_total counter
apiserver_delegated_authn_request_total{code="201"} 5910
# HELP apiserver_delegated_authz_request_duration_seconds [ALPHA] Request latency in seconds. Broken down by status code.
# TYPE apiserver_delegated_authz_request_duration_seconds histogram
apiserver_delegated_authz_request_duration_seconds_bucket{code="201",le="0.25"} 4
apiserver_delegated_authz_request_duration_seconds_bucket{code="201",le="0.5"} 4
apiserver_delegated_authz_request_duration_seconds_bucket{code="201",le="0.7"} 4
apiserver_delegated_authz_request_duration_seconds_bucket{code="201",le="1"} 4
apiserver_delegated_authz_request_duration_seconds_bucket{code="201",le="1.5"} 4
..
..
Since the problem described in this bug report should be resolved in a recent advisory, it has been closed with a resolution of ERRATA. For information on the advisory (Important: OpenShift Container Platform 4.11.0 bug fix and security update), and where to find the updated files, follow the link below. If the solution does not work for you, open a new bug report. https://access.redhat.com/errata/RHSA-2022:5069